Phishing is a crime, and one that takes the least effort – for the most part, with the potential for high reward. The primary purpose of phishing schemes is to con people into giving out their private information by sending emails that look very legitimate. Whether it is requesting banking information, or the most common one, prompting a user with a warning that their email account or other account needs some attention; these type of emails are tricking you into providing your personal information under the guise of a potential problem with your username and password. And, the main goal is to steal data, employee information, and/or cash.
“What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It’s one of the oldest types of cyberattacks, dating back to the 1990s, and it’s still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated.” – Josh Fruhlinger (CSO Online, 2017)
There are many types of phishing schemes that it makes it difficult for the common user to identify whether they are being targeted.
I’ve gathered and borrowed information from various sources which describe the many types of phishing attacks, to help you identify and recognize a phishing attack. The most common types of phishing schemes are: Mass-market email, spear phishing, whaling phishing, BEC phishing (Business Email Compromise), clone phishing, vishing, and snowshoeing.
Mass-market phishing: This is the most common form of phishing scheme. Someone sends you an email pretending to be someone else (Spoofing); instructing you to take action in one way or another, logging into a website, or downloading an attachment (usually malware). Primarily, these types of phishing attacks look like a service delivery notification, a warning message about passwords expiring, or a message about email storage quotas.
Spear phishing: These types of attacks target high value victims and organizations. Instead of targeting thousands of consumers, the attackers may find it more lucrative to target a selected number of individuals or businesses. A nation-state attack may target an employee working for another goernment agency, or a government official, to steal state secrets and large amounts of money in the process. Spear phishing attacks are highly successful, a lot of research time is spent, and carefully crafted information is gathered by the perpetrators in order to specifically target an individual or organization – such as referencing a conference receipt, or sending a malicious attachment where the filename makes reference to a specific topic of relevance to the victim.
According to CSO Online, a recent phishing campaign, Group 74 (a.k.a. Sofact, APT28, Fancy Bear) targeted cybersecurity professionals with an email pretending to be related to the Cyber Conflict U.S. conference, an event organized by the United States Military Academy’s Army Cyber Institute, the NATO Cooperative Cyber Military Academy, and the NATO Cooperative Cyber Defence Centre of Excellence. While CyCon is a real conference, the attachment was actually a document containing a malicious Visual Basic for Applications (VBA) macro that would download and execute reconnaissance malware called Seduploader.
Whaling phishing: This phishing attack targets specifically the top executives of an organization – the big fish, thus the term “Whaling”. Those potential victims are of high value, and their information can provide higher returns if successfully phished. Again we see another sophisticated phishing scheme, because in-depth research needs to be done by the attacker(s). These attacks come in the form of legal subpoenas, customer complaints, or executive level communications.
BEC phishing (Business Email Compromise): By impersonating financial officers and CEOs, criminals attempt to trick victims into initiating money transfers into unauthorized accounts.
Typically, attackers compromise the email account of a senior executive or financial officer by exploiting an existing infection or via a spear phishing attack (stealing username and password). The attacker lurks and monitors the executive’s email activity for a period of time to learn about processes and procedures within the company. The actual attack takes the form of a false email that looks like it has come from the compromised executive’s account being sent to someone who is a regular recipient. The email appears to be important and urgent, and it requests that the recipient send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker’s bank account.
According to the FBI’s Internet Crime Complaint Center, BEC scams have generated more than $4.5 billion in actual and attempted losses, and they are a massive global problem. – F. Rashid (CSO Online, 2017)
Clone phishing: This type of attack requires the attacker to create a nearly identical replica of a legitimate message (We’ve seen many of those at work). The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out with a malicious one. The attacker may say something along the lines of having to resend the original, or an updated version, to explain why the victim was receiving the “same” message again. Some clone phishing go to the lengths into creating a cloned website to further trick the victim.
Vishing: Not all scams are targeted via email, recently, criminals have resorted to use phone calls to try to trick people into sharing information (Social Security Numbers, Bank Accounts and PIN, Credit Card Numbers, etc.) by pretending to be calling from Microsoft’s Support Center, the IRS office, bank, etc. The attack may leave you a message instructing you to call back to a number to “fix” your incident related issue. Again, the main purpose to steal personal information, and/or cash.
Snowshoeing phishing: Also called “hit-and-run” phishing attacks requires attackers to send out messages through multiple domains and IP addresses. Messages are sent at a low volume, so spam filtering technologies can’t recognize and block malicious messages right away. Some of the messages make it into your inbox before the filters identify to block the offending messages.
For most of the phishing attacks, the criminals leverage the use of social engineering to gather information about the company, or an individual in the case of whaling attacks, and also criminals are becoming more sophisticated with their tactics. Some criminals, have taken to use machine learning or artificial intelligence technologies. It is then more and more the responsibility of a savvy user to identify, and report these kinds of attacks. For example, spam filters are not useful against whaling and BEC attacks.
But how do you prevent phishing, or falling victim to a phishing attack?
It has become so much harder to identify a phishing attack nowadays. However, the best way to learn to spot phishing emails is to learn from examples of attacks captured in the wild. Check the video below for “How to Spot a Phishing Email” Since I work at Northwestern University, here are some examples of phishing emails that have been identified and blocked by our Information Security Office
There also are a number of steps you can take and mindsets you should get into that will keep you from becoming a phishing statistic, including:
- Always check the spelling of the URLs in email links before you click or enter sensitive information
- Watch out for URL redirects, where you’re subtly sent to a different website with identical design
- If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
- Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
- If you suspect you have received a phishing scam email, don’t hesitate to contact your local IT Department, they are always looking forward to help you, and to help prevent the spread of such email scams.